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ABSTRACT 


Part  of  the  information  services  program  uses  security  protection  of  corporate 
information  systems  and  software  in  its  three  major  components—people,  administra- 
tion, and  technology.  The  study  analyzes  and  defines  strategies  offering  increasing 
levels  of  security  with  respect  to  mainframes,  networks,  and  intelligent  terminals, 
including  word  processors  and  personal  computers.  Together  with  layered  technology 
as  the  core,  defense  represents  the  basic  strategy  for  protecting  the  corporate 
software  investment. 

This  report  contains  77  pages,  including  15  exhibits. 
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INTRODUCTION 


BACKGROUND 

The  magnitude  of  the  computer  security  problem  is  just  becoming  apparent. 
A  recent  investigation  of  the  American  Bar  Association  revealed  that  nearly 
50%  of  the  300  respondent  companies  reported  losses  of  from  two  to  ten 
million  dollars.  These  losses  resulted  from: 

Unauthorized  computer  use. 

Theft  of  software. 

Theft  of  assets. 

The  survey  showed  that  computer  crime  losses  were  predominantly  from 
within  the  organization. 

Executives  felt  that  the  gap  between  computer  technology  and  security  was 
widening. 

It  is  difficult  to  impress  upon  management  that  a  magnetic  tape  (or  micro 
disk)  costing  well  under  $100  contains  information  valued  at  over  several 
million  dollars. 
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•  The  object  of  this  Information  Systems  Program  (ISP)  report  on  Protecting  the 
Corporate  Systems  and  Software  Investment  is  to  evolve  strategies  of  pro- 
tecting software  (developed  in-house  or  acquired)  from  loss  or  unauthorized 
access  in  the  mainframe,  distributed,  and  personal  computer  environments. 


•  The  subject  chosen  resulted  from  high  client  interest,  a  rapidly  changing 
information  processing  operating  environment  due  to  personal  computers,  and 
the  growing  importance  of  computer  information  security  to  corporate 
management. 

•  This  report  is  targeted  toward  the  information  systems  manager,  the  vice 
president  of  administration,  and  the  corporate  security  director. 

B.       SCOPE  AND  METHODOLOGY 


•  Although  this  report  includes  a  global  discussion  of  information  system 
security,  its  main  focus  is  on  the  security  of  software  (both  applications  and 
systems  software)  that  has  been  developed  in-house  or  acquired.  The  report 
considers  software  security  with  respect  to  utilization  on  host  processors,  the 
distributed  environment,  and  personal  computers. 

•  The  report  can  be  used  as  an  aid  in  planning  for  software  security  in  a  rapidly 
changing  information  systems  environment,  including  distributed  processing 
and  widespread  use  of  personal  computers. 

•  The  research  program  consisted  of  interviewing  both  vendors  (ten)  and  users 
(six),  particularly  users  involved  with  security  issues  related  to  micro- 
computers. Additional  material  was  gathered  from  interviews  with  industry 
experts,  from  INPUT'S  research  file,  and  from  an  extensive  literature  search 
and  analysis. 
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The  research  summary  analysis  and  findings  are  organized  in  the  following 
manner: 

Chapter  II  is  the  executive  summary  in  presentation  format  and  a 
supporting  discussion. 

Chapter  III  covers  the  personnel  issues  related  to  protecting  the 
corporate  systems  and  software  investment. 

Chapter  IV  outlines  the  process  of  and  options  in  developing  a  software 
security  methodology. 

Chapter  V  presents  strategies  for  designing  and  developing  secure 
systems  and  application  software. 

Chapter  VI  examines  the  implications  of  and  emerging  technology 
related  to  protecting  corporate  systems  and  software  in  the  micro- 
computer and  distributed  processing  environment. 

Chapter  VII  summarizes  and  recommends  personnel,  administrative, 
and  technology  strategies  to  protect  the  corporate  systems  and  soft- 
ware investment  in  a  rapidly  changing  information  systems 
environment. 

Appendix  A  contains  specialized  definitions  that  relate  to  computer  informa- 
tion system  security. 

A  related  INPUT  report  is  contained  in  Appendix  B. 
The  vendors'  questionnaire  is  found  in  Appendix  C. 


-3  - 


©  1984  by  INPUT.  Reproduction  Prohibited. 


INPUT 


-4- 


EXECUTIVE  SUMMARY 


Note:  This  executive  summary  is  designed  in  a  presentation  format  in  order 
to: 

Help  the  busy  reader  quickly  review  key  research  findings. 

Provide  ready-to-go  executive  presentations  complete  with  a  script,  to 
facilitate  group  communication. 

The  key  points  of  the  entire  report  are  summarized  in  Exhibits  II- 1  through  II- 
3.  On  the  left-hand  page  facing  each  exhibit  is  a  script  explaining  its 
contents. 
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ESTABLISH  A  BASELINE  FOR  INFORMATION  SYSTEMS  AND 


SOFTWARE  PROTECTION 


•  The  transfer  of  electronic  intelligence  from  the  data  processing  center  to  the 
user  environment  makes  protecting  information  systems  and  software  a 
people,  and  hence  a  top  management,  problem.  It  is  essential  that  corporate 
management  be  aware  of  the  awakening  security  giant  and  be  involved  in  the 
strategies  of  protecting  the  corporate  information  nerve  centers  used  to 
conduct  corporate  business  activity. 

•  The  key  to  coping  with  information  systems  dynamics  is  the  careful  selection 
of  the  security  director,  placement  of  this  officer  high  in  the  corporate  organ- 
ization, and  backing  of  the  officer  by  top  management. 

•  Protecting  the  corporate  system  and  software  investment  is  in  the  final 
analysis  the  responsibility  of  we  1 1 -motivated  users  at  each  corporate  level. 
Education  promoting  awareness  and  responsibility  best  motivates  personnel  to 
maintain  the  protection  of  corporate  trade  secrets,  information  systems,  and 
software. 

•  Cost-effective  layering  of  corporate  information  systems  and  software  with 
available  and  emerging  security  technologies  in  the  mainframe,  user  network, 
and  intelligent  teminal  areas  can  raise  the  ante  for  committing  fraud  to 
prohibitively  high  or  at  least  insurable  levels. 
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EXHIBIT  11-1 

ESTABLISH  A  BASELINE 
FOR  INFORMATION  SYSTEMS 
AND  SOFTWARE  PROTECTION 

•  Involve  Top  Management 

•  Carefully  Select  and  Place  Security 
Director 

•  Motivate  Users  to  Be  Responsible 

•  Use  Multiple  Physical  Protection 
Strategies 

•  Layer  Technology  as  the  Core  Defense 
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B.       SECURITY  PROTECTION  IS  A  THREE-DIMENSIONAL  ASSESSMENT 


•  Strategies  for  protecting  the  corporate  information  systems  and  software 
investment  are  assessed  in  three  dimensions:  (I)  people  really  count,  (2)  good 
administration  is  a  necessary  component,  and  (3)  technology  is  the  first  line  of 
defense. 

•  Strategies  related  to  users  at  all  levels  include:  (I)  corporate  security  policy 
(which  is  promulgated  and  backed  by  top  management  and  incorporates  user 
responsibilities),  a  code  of  ethics,  and  risk  assessment;  (2)  selection  of  a 
security  director  experienced  in  company  operations,  placed  high  in  the 
corporate  organization,  and  backed  by  and  responsible  to  top  corporate 
management;  (3)  heightened  user  awareness  through  continued,  varied,  and  up- 
to-date  briefings  to  small  groups  of  users  and  executives;  and  (4)  personnel 
strategies  that  include  background  investigation,  hiring  and  termination 
procedures,  annual  security  evaluations  and,  as  necessary,  separation  of 
duties. 

•  Basic  administrative  strategies  include  fire  protection  with  preferably  halon 
systems;  duplicate  storage  of  system  applications  software,  preferably 
encrypted  and  at  two  outside  secure  locations;  legal  protection  through  copy- 
right and  trade-secret  registration;  and  insurance  under  complying  conditions 
against  both  fraud  and  disaster. 

•  Use  of  technology  to  protect  corporate  information  systems  and  software  as 
the  first  line  of  defense  requires  cost-effective  selection  of  available  and 
emerging  technologies  for  (I)  host  processors  including  mainframes  and  dis- 
tributed minis,  (2)  user  networks  including  telecommunication  and  LANs,  and 
(3)  intelligent  terminals  including  word  processors  and  personal  computers. 
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EXHIBIT  11-2 

SECURITY  PROTECTION  IS 
A  THREE-DIMENSIONAL  ASSESSMENT 


Technology 


•  Host  Processors 

•  User  Networks 

•  Intelligent  Terminals 
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C.       LAYERED  TECHNOLOGY  IS  THE  CORE  DEFENSE 


•  The  first  line  of  defense  for  protecting  the  corporate  information  systems  and 
software  investment  is  carefully  selecting  multiple  and  independent  tech- 
nologies available  for  the  host,  including  mainframe  and  distributed  proces- 
sors; user  networks  (including  telecommunications  and  Local  Area  Networks 
(LANs));  and  intelligent  terminals  (including  word  processors  and  personal 
computers). 

•  Security  options  available  at  host  processors  include  operating  system  add-on 
security  monitors;  selectively  available  secure  operating  system  kernels;  the 
application  of  formal  structure  design  methodologies  and  structured  pro- 
gramming to  in-house  and  contractor-developed  software;  and  the  application 
of  secure  change  control,  including  checking  for  clearing  main  and  scratch  pad 
memory,  trap-doors,  and  Trojan  horses. 

•  Encryption,  both  private  and  public  key;  authentication,  including  user,  host, 
and  tap-proof  fiber  optic  LANs;  and  multiline  telephone  access  controllers  are 
technologies  available  to  protect  user  networks  at  selected  levels  of  cost- 
effective  security. 

•  Protecting  corporate  information  systems  and  software  contained  in  intelli- 
gent terminals  in  the  user  environment  represents  the  most  rapidly  growing 
area  of  vulnerability.  Available  technologies  include  secure  microprocessors 
(Intel  iAPX286),  secure  software  microdisks  (PROLOK),  terminal  identifiers, 
and  microprocessor-encapsulated,  active  (smart)  plastic  cards. 
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EXHIBIT  11-3 


LAYERED  TECHNOLOGY  IS  THE 
CORE  DEFENSE 


Intelligent  Terminals 


User  Networks 


•  Secure 
Microprocessors 


•  Encryption 

•  Authentication 


•  Secure  Microdisks  /  Corporate 

Information  \      •  Fiber  Optics 
Systems  and 
Software         v     •  Telephone  Access 
Smart  Cards  /  \  Controllers 


Host  Processors 


Security  Monitors 


•  Secure  Operating  System  Kernels 


•  Formal  Design  Methodologies 


•  Structured  Programming 

•  Change  Control 
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Ill 


A, 


PEOPLE,  THE  KEY  TO  SYSTEM  AND  SOFTWARE  SECURITY 
SECURITY,  A  TOP  MANAGEMENT  RESPONSIBILITY 


•  Of  the  26  possible  threats  to  corporate  information  systems  shown  in  Exhibit 
III- 1,  nearly  70%  are  countered  by  good  operational  practices,  physical 
security,  and  personnel— all  of  which  are  the  responsibility  of  top 
management. 

•  The  Information  Systems  (IS)  manager,  chief  of  the  vault  where  valuable 
electronic  resources  are  stored,  has  responsibility  for  defending  against 
threats  to  the  core  of  the  corporate  information  system. 

•  Experience  has  shown  that  the  major  vulnerability  is  within  the  organization, 
often  with  trusted  employees  who  know  how  the  company  and  the  information 
system  work. 

•  Top  management  involvement  is  a  top  priority  requirement  when  establishing 
a  baseline  for  information  security.  Corporate  policy— -a  joint  effort  between 
the  chief  administrative  office,  the  security  director,  and  the  IS  director- 
should  be  promulgated  by  the  chief  executive  officer.  Policy  with  respect  to 
personnel  should  include: 

Organization  policy,  including  the  security  director's  placement  within 
the  organization,  responsibilities,  and  authority. 
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EXHIBIT  111  —  1 


DEFENSE  AGAINST  POSSIBLE  THREATS  TO 
CORPORATE  INFORMATION  SYSTEMS 


Hardware   

Reliability 

Software   

Reliability 

Communications 
Reliability 

Applications 
Reliability 

Human 
Reliability 


Good  Operational  Practices 
and  Adequate  Budget 

Personnel 


Legal  Requirements 
Social  Responsibility 
Libel  Suits 
Bomb  Threats 
Intense  Competition 
New  Responsibilities 


Espionage 


Operating  System 


Fraud 


Strikes 
and  Work 
Stoppages 


Sabotage 


Windstorm 
Hurricane 
Tornado 
Earthquake 
Flood 
Lightning 


Access 
Controls 


nput/ 
Output 


Programs 


Data  Base 


Communi- 
cations 


Storage 


Physical  Security 


Good  Operational  Practices 
and  Adequate  Budget 


Ice  and  Snow 
Mischief 
Rain  and  Mud 


Theft 


Fire  and  Water 


Industrial  Accident 

Loss  of  Power 

Communication 

Water 

Sewer 


— ►  Threat 
Defense 
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Hiring  practices,  including  interview  and  thorough  background  checking 
for  all  personnel.  Managers  that  are  involved  with  developing  and  using 
corporate  information  systems  and  software  should  not  be  excepted. 

Termination  practices,  including  firing  for  cause,  security  debriefings, 
and  termination  interviews. 

A  code  of  conduct,  including  security  reviews,  conflict  of  interest,  non- 
disclosure, and  sanctions. 

c  Development,  communication,  and  implementation  of  corporate  security 
policies  is  analyzed  in  the  following  sections  of  this  chapter. 

B.       A  WELL-PLACED  SECURITY  DIRECTOR 

•  Each  new  generation  of  computer  technology  gives  birth  to  new  professional 
positions.  The  computer  security  expert  evolved  along  with  third-generation 
technology  (i.e.,  IBM  360,  DEC  VAX)  sometime  between  1968  and  1972. 
Today,  increasing  computer  power,  especially  via  personal  computers  in  the 
end-user  environment,  is  rapidly  accelerating  the  importance  of  information 
system  security. 

•  The  functions  of  a  well-administered  security  program  are: 

Avoidance  of  loss  through  risk  removal  (such  as  background  investiga- 
tion prior  to  hiring). 

Deterrence  of  financial  fraud  through  separation  of  duties  and  security 
briefings. 
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Prevention,  such  as  with  use  of  physical-access  control  devices  (e.g., 
card-activated  turnstiles  and  doors). 

Detection  through  the  use  of  auditing. 

Recovery  through  disaster  recovery  services,  insurance,  and  legal 
proceedings. 

Correction  through  security  review  and  software  change  control 
procedures. 

A  must  for  a  successful  corporate  security  program  is  the  selection  and 
strategic  placement  of  a  well-qualified  information  system  security  director. 

At  the  minimum  the  security  director  must  report  directly  to  the  top  IS 
executive,  or  more  ideally  to  the  corporate  executive  responsible  for  overall 
corporate  security  (with  a  close  interface  to  the  IS  director). 

Information  security  directors  should  have  both  an  understanding  of  the 
information  system  and  of  the  business  in  general.  A  senior  information 
system  analyst/programmer  having  prior  experience  in  a  major  operating 
department  is  a  preferred  candidate. 

Managing  information  system  security  successfully  requires  experience  in  and 
understanding  of  the  interplay  among  systems  development,  audit,  users, 
senior  management,  and  information  systems  operations. 

The  security  director  serves  as  liaison  between  senior  management  and  end 
users.  However,  the  director's  first  loyalty  is  to  senior  management.  Close 
working  relationships  with  IS  and  Audit  are  essential. 

Information  security  should  be  the  security  director's  sole  responsibility. 
Information  security,  including  disaster  recovery,  needs  full-time  attention. 
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•  To  be  successful  a  security  director  must  be  supported  by  top  corporate 
management. 

C.       PEOPLE-RELATED  SECURITY  FACTORS 

•  Since  one  is  now  operating  in  an  information  environment  where  the  number 
of  users  having  access  to  corporate  information  is  rapidly  rising,  personnel 
security  factors  are  likely  to  be  the  most  cost-effective  alternative  to  con- 
trolling system  and  software  security.  The  following  factors  are  considered 
baseline  with  respect  to  reducing  people-related  risk  to  an  operationally 
acceptable  level: 

I.       BACKGROUND  INVESTIGATION 

•  As  a  major  method  of  avoidance,  background  investigations  are  worthwhile  for 
new  employees,  contractor  personnel,  vendor  personnel,  consultants,  and  on  a 
periodic  basis  for  anyone  in  a  position  of  trust. 

•  To  avoid  possible  legal  (or  other,  such  as  union)  problems,  authorization  for 
background  investigations  should  be  obtained  as  part  of  the  employment 
application  or  vendor  contractual  agreement. 

•  Background  investigations  are  usually  performed  by  an  outside  agency,  such  as 
Equifax.  Equifax,  a  company  specializing  in  insurance/credit  investigation, 
interviews  employers,  co-workers,  neighbors,  and  researches  public  records. 
Equifax  charges  $20-$  1 00/person. 

•  Items  for  verification  are  education,  prior  work  experience,  criminal  convic- 
tions (if  any),  opinions  of  qualified  people  who  know  the  candidate,  and 
employer  performance  reports. 
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•  Under  most  circumstances  full  disclosure  of  the  findings  to  the  prospective 
employee  (with  an  opportunity  for  rebuttal)  is  recommended  policy. 

2.  EMPLOYEE  HIRING  PROCEDURES 

•  Before  hiring  an  employee,  an  agreement  of  confidentiality,  a  patent  agree- 
ment, and  an  acknowledgement  of  a  professional  code  of  conduct  should  be 
executed. 

•  An  initial  briefing  on  security  should  be  scheduled  soon  after  the  candidate  is 
hired. 

3.  CORPORATE  INFORMATION  SECURITY  POLICY 

•  The  corporate  information  security  policy  should  establish  goals,  objectives, 
requirements,  and  responsibilities  promulgated  by  the  CEO. 

•  A  visible  and  enforceable  information  security  policy  indicates  a  top- to- 
bottom  commitment  to  security  and  represents  a  primary  form  of  security 
deterrence. 

•  To  be  effective,  security  policy  must  be  kept  current. 

4.  EMPLOYEE  EDUCATION 

•  Perhaps  no  other  factor  has  greater  cost-effectiveness  than  small  and  fre- 
quent security  briefings  to  all  levels  of  the  corporate  organization.  Typical  of 
educational  policies  is  that  of  Chevron  Oil  Company: 

As  part  of  its  consciousness-raising  effort,  Chevron  conducts  a  series 
of  two-hour  presentations  and  demonstrations  that  familiarize  top 
managers  with  security  issues.  Topics  include  personal  computers, 
timesharing,  data  base  access,  and  mainframes. 
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The  seminars  are  presented  to  small  groups  of  between  six  and  eight 
executives. 

5.  SECURITY  PERFORMANCE  EVALUATION 

q  A  security  performance  evaluation  should  be  explicitly  included  as  part  of  job 
performance  and  merit  increase  reviews.  A  review  includes  managers' 
assessments  of  employee  support  and  of  adherence  to  corporate  security 
policies. 

•  Suggestions  from  employees  and  other  interested  parties  should  be  solicited, 
reviewed  with  the  security  director,  and  acted  upon. 

6.  CODE  OF  CONDUCT 

•  A  code  of  conduct  for  all  employees,  contractors,  and  consultants  covers  rules 
of  behavior  to  protect  the  organization  from  potential  losses. 

•  A  code  of  conduct  should  be  explicit  in  describing  sanctions  that  will  be 
applied  in  response  to  code  violations. 

•  The  code  should  be  reviewed  periodically,  such  as  at  security  briefings  or  at 
performance  reviews. 

•  It  is  advisable  to  have  employees  (etc.)  acknowledge  the  code  by  signing  it. 

•  A  typical  code  of  conduct  for  information  processing  is  shown  in  Exhibit  111-2. 

7.  SEPARATION  OF  DUTIES 

•  Employee  duties  should  be  assigned  with  security  in  mind.  Duties  should  be 
separated  to  minimize  the  lone  employee's  ability  to  engage  in  criminal 
activity  without  detection. 
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EXHIBIT  1 1 1  —  2 
INFORMATION  SYSTEMS  CODE  OF  CONDUCT 


The  information  systems  department  is  entrusted  with  computer  programs, 
supplies,  data,  documentation,  and  facilities  that  are  continuously  growing  in 
size  and  value.  We  must  maintain  visible  standards  of  performance,  security, 
and  conduct  that  aid  in  our  efforts  to  assure  the  integrity  and  protection  of 
these  assets.  The  following  policy  should  be  used  in  conducting  on-the-job 
activities.  The  success  of  this  program,  however,  requires  that  each  member 
of  the  information  systems  organization  maintain  an  awareness  of  the  value  of 
the  information  with  which  he  or  she  has  been  entrusted.  Violation  of  this 
trust  is  grounds  for  disciplinary  action,  including  immediate  dismissal.  IS  must: 

•  Conduct  all  activities  to  preclude  any  form  of  dishonesty,  such  as  theft  or 
misappropriation  of  money,  equipment,  supplies,  documentation,  computer 
programs,  or  computer  time. 

•  Avoid  any  act  that  compromises  integrity,  such  as  falsification  of 
records  and  documents  or  unauthorized  modification  of  production  programs 
and  files.    Refuse  gratuities  from  vendors,  agencies,  or  other  resources. 

•  Avoid  any  act  that  may  create  a  dangerous  situation,  such  as  carrying  a 
concealed  weapon  on  organization  premises;  assaulting  another  individual; 
or  disregarding  property,  safety,  and  security  standards. 

o    Not  use  intoxicating  liquors,  narcotics,  or  drugs  while  at  work.  Employees  must 
not  report  to  work  while  under  the  influence  of  same,  or  in  any  other  way 
report  in  a  condition  unfit  for  work. 

•  Maintain  courteous  and  professional  relations  with  users,  associates,  and 
supervisors.  Perform  job  assignments  as  requested  by  supervisors  or 
management  and  do  so  within  the  standards  of  performance  and  security. 
Report  any  observed  violations  of  conduct  or  security  as  soon  as  possible. 

o    Adhere  to  the  no-solicitation  rule,  and  all  other  employment  policies. 

•  Protect  the  confidentiality  of  sensitive  information  with  regard  to  competi- 
tive positions,  trade  secrets,  or  assets. 

•  Exercise  sound  business  practice  in  the  management  of  company  resources, 
such  as  personnel,  computer  usage,  outside  services,  travel,  and 
entertainment. 
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There  should  be  multiple  control,  whereby  one  person  initiates  the  task, 
another  verifies  correctness,  and  a  third  is  held  accountable  for  the  total 
task.  This  is  a  useful  method  where  highly  sensitive  information  is  involved. 

Job  rotation  is  another  means  of  stopping  and  uncovering  ongoing  fraud. 

Mandatory  vacation  policies  can  be  used  to  interrupt  continuity  and  to  expose 
ongoing  fraud. 

TERMINATION  PROCEDURES 

Termination  for  cause  requires  immediate  removal  of  the  employee  from  a 
position  of  trust. 

Terminated  employees  should  receive  a  debriefing  with  explicit  explanation  of 
ex-employee  responsibilities,  such  as  maintaining  confidentiality  of  trade 
secrets  and  other  competitive  information.  A  terminating  agreement  should 
be  signed  and  executed. 

A  security  director  should  ensure  that  material  such  as  access  cards  and 
software  documents  are  returned,  and  that  necessary  computer  access  pass- 
words and  secret  keys  are  changed. 
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IV       ESTABLISHING  A  SOFTWARE  SECURITY  METHODOLOGY 


A.       SOFTWARE  SECURITY  ADMINISTRATION 

1 .  SOFTWARE  DESIGN  AND  DEVELOPMENT 

•  Security  aspects  of  the  design  and  development  of  software  are  covered  in 
detail  in  Chapter  V,  Designing  for  Secure  Software. 

2.  DOCUMENTATION  CONTROL 

•  Secure  software  administration  requires  that  software  documentation  and 
control  be  established  as  the  separate  responsibility  of  a  software  librarian. 
The  librarian  is  responsible  for  maintaining  the  software  library  in  paper  and 
magnetic  form  in  source  language,  for  logging  copies  in  and  out,  and  for 
duplicating  software  documentation  in  any  form. 

•  It  is  essential  that  obsolete  or  duplicate  text  and  other  paper  documentation 
of  critical  programs  be  shredded  to  avoid  scavenging. 

•  Terminated  employees  should  be  required  to  check  out  with  the  software 
librarian  for  clearance  as  part  of  the  termination  procedure. 
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FIRE  PROTECTION 


•  The  software  library  is  best  protected  from  fire  through  the  use  of  a  halon 
fire  control  system.  Because  of  its  chemistry,  halon  poses  the  least  threat  to 
people,  magnetic  media,  and  paper. 

4.  DISASTER  RECOVERY 

•  Software  recovery  procedures  are  a  critical  part  of  any  disaster  recovery 
plan.  Two  backup  copies  of  the  complete  software  library  are  required  and 
should  be  stored  at  separate  locations.  In  the  event  of  disaster,  a  backup  set 
of  the  complete  software  will  still  exist  while  one  set  is  being  used  to  restart 
system  operations. 

•  A  further  level  of  security  can  be  obtained  by  encrypting  the  software  library 
prior  to  transmission  or  delivery  to  off-site  locations. 

5.  LEGAL 

•  Legal  aspects  of  software  protection  include  patents,  copyrights,  and  "trade 
secrets." 

•  Establishing  patent  rights  to  software  is  extremely  difficult.  Copywriting  a 
program,  whether  by  statutory  or  common  law,  offers  a  degree  of  protection 
that  has  in  some  notable  instances  been  successfully  enforced,  but  (partic- 
ularly in  the  microprocessing  software  area)  has  been  largely  avoided. 

•  Tort  law  is  viewed  by  many  as  the  best  alternative  form  of  legal  protection 
for  "trade  secrets."  Courts  have  applied  a  reasonably  standard  set  of  tests  to 
determine  the  legality  of  trade  secrets  and  whether  the  trade  secret  has  been 
used  in  an  unfair  or  improper  way. 
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6.  INSURANCE 


•  Insurance,  "a  sleeping  giant,"  is  expected  to  have  a  positive  effect  on  the 
security  problem.  Insurance  requirements  promote  formalization  and  stan- 
dardization of  security  methodologies  and  increase  top  management  aware- 
ness of  information  system  security  at  all  organizational  levels. 

B.       OPERATIONAL  SOFTWARE  SECURITY  OPTIONS 

•  Each  of  the  operational  software  security  options  shown  in  Exhibit  IV- 1  inde- 
pendently offers  a  level  of  security  protection.  The  greatest  level  of  security 
is  obtained,  as  will  be  discussed  below,  by  layering  multiple  options  to  make 
the  cost  of  penetration  prohibitive. 

I.  PASSWORDS 

•  Passwords  are  perhaps  the  lowest  form  of  security  protection  from  unauthor- 
ized access  or  modification  of  corporate  information  software. 

•  Password  capability  is  provided  by  virtually  all  operating  systems. 

c  Passwords  can  be  user  created  or  (preferably)  security  system  assigned.  A 
secure  means  of  mapping  the  user  to  the  assigned  password  is  essential. 

•  Encrypting  the  password  resident  in  operating  system  tables  adds  a  level  of 
security  without  sacrificing  operating  efficiency. 

•  Passwords  should  be  changed  frequently  and  at  irregular  intervals. 

•  Passwords  are  easily  determined  by  a  determined  hacker. 
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EXHIBIT  IV-1 
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TERMINAL  IDENTIFIER 


•  Selective  terminals  have  the  ability  to  be  uniquely  (a  high  probability)  identi- 
fied as  input-output  resources,  either  in  the  direct  access  or  dial-in  mode. 

©  Some  terminals  have  the  capability  of  reading  magnetic  stripe  cards  con- 
taining user  IDs  to  identify  the  user  at  a  particular  terminal  as  having  the 
right  to  access  or  modify  corporate  information  software. 

o  A  password  is  an  identifier  (preferably  system  generated  and  assigned)  giving 
right  of  access  to  system  resources.  A  password  is  usually  (but  not  neces- 
sarily) assigned  to  one  use.  A  personal  ID  is  a  secret  value  that  is  known  only 
to  the  user  and  separately  supplied  to  the  security  monitor  that  uniquely 
identifies  a  user. 

•  Passwords,  personal  IDs,  and  terminal  identifiers  can  be  combined  to  add 
another  level  of  operational  software  security. 

3.       SECURITY  MONITORS 

o  Another  dimension  of  operational  software  security  can  be  obtained  by  using  a 
security  monitor  on  top  of  existing  operating  systems.  Security  monitors  are 
software  packages  that  reduce  the  frequency  of  unauthorized  access  or 
improper  use  of  corporate  information  system  resources. 

•  Some  of  the  more  popular  security  software  packages  for  IBM-compatible 
mainframes  are  shown  in  Exhibit  IV-2.  Security  monitors  differ  in  function, 
for  example: 

ALERT  and  SECURE  are  targeted  for  protecting  against  unauthorized 
access  from  the  interactive  terminal  or  CICS  environment. 


-  27  - 

1984  by  INPUT.  Reproduction  Prohibited.  INPUT 


EXHIBIT  IV-2 
LEADING  SECURITY  MONITORS  FOR 
IBM  PLUG-COMPATIBLE  SYSTEMS 
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ACF  2  and  TOP  SECRET  offer  great  flexibility  in  discretionary  access 
policy,  whereas  RCAF  implements  an  inflexible  and  mandatory  security 
policy. 

Only  ACF2  and  SECURE  have  versions  compatible  with  the  VM  oper- 
ating system. 

TOP  SECRET  and  ALERT  are  the  only  packages  that  do  not  require 
changes  to  the  operating  system  upon  installation. 

Security  monitors  require  a  security  administrator  to  map  the  relationship 
between  users  and  resources.  The  matrix  is  then  stored  (often  encrypted)  in  a 
protected  area  of  the  security  monitor. 

Security  monitors  attempt  to  solve  deficiencies  in  operating  systems  that 
have  not  been  designed  with  security  in  mind.  As  such,  security  monitors  are 
vulnerable  to  a  determined  hacker. 

Discussion  of  the  design  of  secure  operating  system  software  is  presented  in 
Chapter  V,  Designing  for  Secure  Software. 

Advanced  security  monitors  provide  for  the  capability  of  implementing 
security  policies  that  are  discretionary,  mandatory,  or  a  combination  of  both. 

Discretionary  policy  allows  a  specific  user  or  process  to  create  objects 
(i.e.,  files)  and  then  specify  who  has  access  to  them. 

Mandatory  security  policy  establishes  a  hierarchy  of  security  classifi- 
cations as  a  basis  for  determining  access. 

Effective  security  monitors  are  easy  to  install  (i.e.,  require  few  if  any  oper- 
ating system  modification),  are  efficient  (i.e.,  low  system  overhead),  are  on- 
line and  flexible  with  respect  to  the  security  administrator,  and  are  capable  of 
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mapping  terminals  and  users  to  both  system  resources  (i.e.,  processors  and 
peripherals)  and  objects,  including  software,  data  bases,  files,  records,  and 
data. 

Security  can  be  increased  by  providing  both  software  memory  protection  (i.e., 
ensuring  that  processes  are  limited  to  a  memory  segment)  and  execution 
domains  (a  hierarchy  of  executable  system  processes).  These  functions  are 
more  efficiently  implementable  in  hardware.  (See  Chapter  VI,  The  Microcom- 
puter and  Software  Security.) 

Security  monitors  vary,  as  shown  in  Exhibit  IV- 1,  in  their  ability  to  interface 
with  operating  systems,  protect  local  and  dial-in  data  communication  sub- 
systems, control  system  software  functions,  and  provide  levels  of  password 
support. 

Security  monitors  are  generally  good  at  providing  audit  trails.  Audit 
capability  includes: 

System  access. 

Access  Attempts. 

Resource  use. 

Security  violations. 

Interrelationship  between  users  and  resources. 

On-line  monitoring  of  suspected  violators. 

Effective  security  monitors  disconnect  both  unattended  terminals  (after 
preselected  or  varied  times)  and  users  who  make  repeated  (i.e,  more  than  two) 
unsuccessful  attempts  to  access  the  system  from  the  same  terminal. 
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ENCRYPTION 


Encryption  is  an  effective  way  to  protect  system  and  software  from  active 
intrusion. 

Encryption  is  particularly  effective  in  cases  of  remote  access,  program 
transmission,  downloading,  program  library,  and  outside  program  storage. 

There  are  currently  some  major  drawbacks  to  the  widespread  use  of  encryp- 
tion for  commercial  systems. 

Encryption  systems  tend  to  be  expensive. 

Encryption  tends  to  degrade  system  performance. 

Secret  key  generation  and  distribution  need  careful  administrative 
attention. 

Encryption  can  be  accomplished  through  software  products,  through  security 
modules  including  specialized  micro  chips,  and  through  completely  automated 
electronic  systems  that  include  key  management. 

The  most  widely  used  single  key  encryption  system  uses  as  an  algorithm  the 
Digital  Encryption  Standard  (DES)  promulgated  by  the  National  Bureau  of 
Standards  (NBS).  The  64-bit  key  (56  data  bits  plus  8  parity  bits)  ensures  that 
the  current  cost  of  key  discovery  is  prohibitive. 

By  using  multiple  encryption,  master  and  subset  key  management  systems 
permit  secure  transfer  through  multilevel  nodes  within  corporate  information 
systems.  A  major  problem  is  the  complexity  of  key  generation,  distribution, 
and  management. 
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Another  method  of  public-key  encryption  utilizes  two  keys  related  by  a  one- 
way function.  This  method  permits  one  key  to  be  published  to  all  interested 
parties.  The  key  management  problem  is  significantly  reduced,  but  there  are, 
at  the  present  time,  greatly  increased  computational  requirements  to  encrypt 
the  information  for  transmission,  storage,  etc.  INPUT  expects  that  within 
two  years  an  effective  electronic  solution  will  be  forthcoming. 

TELEPHONE  ACCESS  CONTROLLERS 

Telephone  access  controllers  interpose  between  remote  dial-up  terminals  and 
the  host  computer  dial  access  ports,  as  shown  in  Exhibit  IV-3.  The  controllers 
do  not  wait  for  an  unauthorized  user  to  gain  computer  access  before  enacting 
countermeasures.  Access  is  denied  to  the  computer  if  a  user  does  not  dial 
from  a  previously  authorized  location  or  does  not  enter  the  correct  access 
code. 

Access  controllers  operate  in  an  analog  mode.  The  controller  does  not 
acknowledge  that  it  is  being  accessed.  The  user  keys  in  a  valid  location 
identification  number  (LIN).  The  access  controller  then  answers  with  an 
acknowlegement  tone  or  message  and  both  the  user  and  the  unit  disconnect. 

Within  approximately  15-20  seconds  the  controller  calls  a  preselected  tele- 
phone number  and  interconnects  the  terminal  at  that  number  with  the 
computer  modem,  permitting  the  user  to  initiate  the  sign-on  procedure. 

Typical  controllers  handle  32-64  incoming  lines,  and  include  additional 
features,  such  as  hard  copy  audit  trail  and  time-dependent  callback  pro- 
gramming. 

Since  the  initial  interface  to  the  dial-up  terminal  is  analog,  the  telephone 
access  controllers  are  relatively  secure  from  external  attack. 
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EXHIBIT  IV-3 
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Some  controllers  track  and  audit  each  remote  interconnection  from  terminal 
modem  to  computer  modem,  thus  ensuring  that  a  valid  sign-on  has  been 
accomplished. 

Most  controllers  have  the  ability  to  handle  up  to  four  simultaneous  calls  and 
the  queuing  of  28  others. 

It  is  possible  to  use  a  telephone  access  controller  in  conjunction  with  the 
encryption  equipment  shown  in  Exhibit  IV-2  to  provide  an  even  higher  level  of 
computer  software  security.  Telephone  access  controllers  are  usually 
programmmed  through  a  dedicated  terminal.  Some  can  also  be  programmed 
through  a  remote  terminal,  where  the  remote  terminal  is  protected  from 
unauthorized  access  by  a  single  access  controller  having  a  preprogrammed 
callback  procedure. 

SMART  CARDS 

A  smart  card  consists  of  a  plastic  card  in  which  is  embedded  a  customized 
chip  comprising: 

A  microprocessor  with  interfaces  for  memories  and  communication 
with  the  outside  world. 

Scratch  pad  memory  (random  access). 

A  program  memory  (read  only). 

A  "user  memory"  (programmable  read-only  memory). 

There  is  no  internal  power  source.  The  microprocessor  is  passive  until  the 
card  is  inserted  into  a  terminal. 
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The  user  memory  is  under  exclusive  control  of  the  micro-program  in  the  read- 
only memory.  During  the  last  stage  of  manufacturing  process  the  user 
memory  is  divided  into  areas  with  different  rights  of  access,  as  shown  in 
Exhibit  IV-4. 

After  initialization,  the  contents  of  the  secret  area  cannot  be  accessed  exter- 
nally. Information  stored  in  the  secret  area  is  accessible  for  internal  use 
only.  The  secret  area  is  used  to  store  authentication  codes  of  the  card  issuer, 
a  personal  card  holder  identification  code,  and  encryption  keys. 

Access  to  the  confidential  area  is  protected  by  the  secret  codes  of  the  card 
issuer  and  the  card  holder. 

No  restrictions  exist  in  accessing  the  open  memory. 

The  user  will  insert  the  card  in  the  terminal  and  enter  the  password  (personal 
identification  number),  which  will  be  stored  in  encrypted  form  in  the  confi- 
dential memory.  If  one  utilizes  a  one-way  algorithm  (involving  keys  stored  in 
the  secret  memory  and  the  user's  identification  number)  and  transmits  the 
result  encrypted  between  the  terminal  and  the  host  system,  it  can  be  deter- 
mined that: 

The  card  is  valid. 

The  user  is  properly  identified  (with  high  probability). 

The  user  is  connected  to  a  valid  host  processor. 

A  further  level  of  security  can  be  achieved  by  adding  an  electronic  signature 
consisting  of  a  sequence  number  (including  a  date-time  group)  in  the  trans- 
mitted information,  thus  encrypting  the  information  utilizing  the  secret 
authentication  key. 
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EXHIBIT  IV-4 


SMART  CARD  FUNCTIONAL  DESIGN 
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The  technology  makes  falsification  very  difficult.  Fraud  requires  an  advanced 
chip  manufacturing  facility  and  possession  of  proprietary  information  from 
the  chip  manufacturer,  the  card  manufacturer,  and  the  card  issuer. 

OTHER  TECHNOLOGY 

The  other  technology  under  development  promises  to  tie  user  identification  to 
unchanging  personal  characteristics.  Technologies  that  strengthen  the  identi- 
fication process  are: 

Fingerprints:  matching  stored  information  with  active  finger  impres- 
sions using  holography. 

Hand  Geometry:  matching  stored  information  about  palm  lines  using 
holography. 

Signatures:  matching  stored  digitized  patterns  of  signatures  with 
dynamic  analysis  of  handwriting. 

Voice  prints:  matching  digitized  information  with  digitized  speech 
sound  waves. 

These  technologies  have  been  reviewed  in  the  INPUT  report  shown  in 
Appendix  B. 

Although  promising,  none  of  the  above  technologies  is  yet  sufficiently  reliable 
or  economically  viable. 
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V        DESIGNING  FOR  SECURE  SOFTWARE 


A.       SYSTEMS  SOFTWARE 

I .       OPERATING  SYSTEMS,  THE  KEY  TO  INFORMATION  SECURITY 

•  To  date,  the  best  approach  for  designing  secure  operating  systems  is  the 
security  kernel  concept. 

•  A  smaller,  less  complex,  and  more  easily  verifiable  security  module  is  possible 
by  separating  the  security-re  I  event  functions  of  the  operating  system  into  a 
kernel. 

•  The  security  kernel  is  a  reference  monitor  that  checks  the  legality  of  every 
reference  between  user  (subject)  and  resource  (object).  Included  are 
programs,  files,  terminals,  printers,  etc. 

•  The  security  kernel  mediates  every  access  to  protected  resources.  By 
isolating  the  security  kernel  from  the  rest  of  the  operating  system,  the 
module  can  be  more  effectively  protected  from  users  and  system  pro- 
grammers. 

•  The  greatest  difficulty  has  been  in  verifying  that  security  kernels  operate  and 
that  they  implement  security  policy  correctly. 
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Security  kernels  implement  discretionary  or  mandatory  (or  a  combination  of 
both)  security  policies.  Discretionary  policy  allows  the  user  or  security 
officer  to  specify  objects  and  who  has  access  to  them.  As  shown  in  Exhibit  V- 
I,  discretionary  policy  is  implemented  as  either  a  security  matrix  or  as  an 
access/control  list  that  is  related  to  each  protected  object.  Accounting 
personnel  can  only  read  information  in  File  B,  whereas  user  3  (department 
head)  can  either  read  from  or  write  into  File  B. 

As  implemented  by  the  security  officer,  mandatory  security  policy  establishes 
several  classifications  (such  as  "secret"  or  "confidential")  of  the  user's  level  of 
clearance  and  of  the  resources  (object).  Security  may  further  subdivide 
categories  of  both  on  the  basis  of  "need  to  know." 

Memory  protection  (that  is,  preventing  one  process  from  changing  another)  is 
an  architectural  key  for  system  software  security.  The  efficiency  of  memory 
protection  (and  of  a  secure  operating  system)  is  directly  related  to  hardware 
features  that  permit  dividing  a  virtual  memory  into  segments  that  are  access- 
ible through  descriptors.  As  shown  in  Exhibit  V-2,  another  layer  of  informa- 
tion system  security  is  provided  through  the  implementation  of  "execution 
domains"  in  software,  hardware,  or  firmware.  Again,  secure  system  perform- 
ance is  highly  dependent  on  hardware  features,  with  three  domains  essential 
for  efficient  operation. 

The  most  privileged  is  the  security  kernel;  it  implements  the  basic 
security  mechanism. 

Software  (such  as  for  user  identification,  authentication,  and  security 
auditing)  is  closely  related  to  the  security  kernel;  it  is  carefully  veri- 
fied and  if  possible  proven  correct.  This  software  runs  either  in  its  own 
domain  or,  in  a  three-domain  system,  in  the  operating  domain. 

Execution  domains  restrict  the  access  of  programs  in  less  privileged  domains 
to  a  few  well-defined  interfaces  with  more  privileged  domains. 
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EXHIBIT  V-1 


IMPLEMENTATION  OF  DISCRETIONARY  SECURITY  POLICY 


MATRIX  CONTROL 


OBJECTS 


Subjects 

User  1 
User  2 


Y< 


^ 


Read 
Write 
Execute 


Accounting 
User  3 
Application  1 
Application  n  i 


Execute 


Read 


Read 


Read 
Write 


Read 
Write 


Read 


Read 
Write 


LIST  CONTROL 


Access  Control  List 


User  1  Read 


Accounting  Read 


User  3   Read  Write 


File 

B 

it 


I 
J 


=  Discussed  in  Text 


-41  - 

©1984  by  INPUT.  Reproduction  Prohibited. 


EXHIBIT  V-2 

SECURE  INFORMATION  SYSTEMS  EXECUTION  DOMAINS 
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The  security  monitors  shown  in  Exhibit  IV-2  provide  discretionary  security  as 
an  add-on  feature  to  IBM  mainframe  operating  systems.  Secure  operating 
system  implementations  on  most  current  mainframe  architectures  have 
proved  too  inefficient  for  commercial  use.  Supported  by  both  memory  protec- 
tion and  executive  domain  hardware,  the  SCOMP  operating  system,  running  on 
Honeywell's  level  6/DPS6  system,  is  perhaps  an  exception. 

Secure  versions  of  UNIX  implemented  on  minicomputers  and  microprocessors 
are  expected  within  the  next  year.  (See  Chapter  VI,  The  Microcomputer 
Software  Security,  for  discussion  of  the  Intel  iAPX286.) 

DATA  BASE  MANAGEMENT  SYSTEMS,  A  PROBLEM  AREA 

Data  base  management  systems  (DBMSs)  allow  many  people  to  have  access  to 
different  types  of  data,  most  frequently  in  a  "user  friendly"  manner.  Whereas 
security  monitors  with  operating  systems  control  access  to  the  file  and  record 
(program)  level,  DBMS  systems  can  add  information  system  security  down  to 
the  data  level. 

The  data  base  administrator  (security  officer)  defines  access  and  use  of  all  but 
local  user  data. 

Two  approaches  to  security  access  are  utilized  by  DBMSs:  explicit  and  con- 
strained. In  explicit  systems  only  defined  user/data  set  relationships  are 
effective;  users  can  have  access  to  all  other  resources. 

In  constrained  systems,  unless  the  data  base  administrator  authorizes  an 
individual  (program)  to  perform  an  operation,  no  one  but  the  administrator 
(super  user)  can  access  or  manipulate  the  information.  Care  must  be  taken 
with  constrained  systems  such  that  security  does  not  become  a  bottleneck  to 
efficient  DBMS  use. 
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Access  to  DMBS  resources  may  be  enforced  through  either  a  set  of  flexible 
authorization  rules  or  through  more  formal  data  classification  schemes. 
Authorization  rules  that  control  user  access  can  be: 

User  specific. 

Time  specific. 

Logical  subsets  of  rows  or  columns. 

Specific  DBMS  operations. 

Query  languages  (powerful  tools  for  retrieving,  appending,  replacing,  deleting, 
and  aggregating  DBMS  information)  are  frequently  used  for  defining  and 
enforcing  authorization  rules.  For  example  and  as  shown  in  Exhibit  V-3,  the 
query  system  arbitrates  each  request,  filtering  through  such  portions  as  are 
authorized  for  access  and  response,  thereby  denying  the  user  knowledge  of 
protected  information. 

Although  some  constraints  (such  as  references  to  single  records)  are  possible, 
security  with  respect  to  statistical  data  bases  remains  a  significant  problem. 
Clever  computer  hackers  can  successfully  extract  valuable  information 
(programs)  through  successive  queries  that  form  valid  authorizations. 

The  basic  objective  of  security  with  respect  to  DBMSs  is  the  achievement  of  a 
high  level  of  security  without  compromising  system  performance  or  user 
friendliness. 
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EXHIBIT  V-3 


ARBITRATION  OF  USER  QUERIES 
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B.       APPLICATIONS  SOFTWARE 


•  Development  of  secure  application  software  uses  most  of  the  software  engi- 
neering practices  related  to  a  formal  design  methodology  and  structured 
programming. 

1.  DESIGN 

•  Development  of  secure  application  software  depends  on  establishing  clear 
interfaces  between  functions  (modules)  and  minimizing  information  transfer 
from  module  to  module. 

•  A  structured  design  utilizing  a  top-down  hierarchical  approach  is  a  favored 
design  methodology. 

•  Data  typing  that  relates  data  to  its  related  processes  (called  "data  abstrac- 
tion") allows  definition  of  small,  self-contained  modules.  Establishing  the 
module's  interface  allows  the  concept  of  encapsulation  (i.e.,  black  box)  or 
"information  hiding"  to  be  used  to  control  access.  Additional  function  can  be 
added  to  the  module  without  affecting  its  security  features. 

•  The  design  should  carefully  establish  the  least  privileged  access  to  modules, 
programs,  and  application  to  later  control  program  access  and  change. 

•  The  auditing  process  must  be  considered  as  integral  to  the  design  process. 

2.  PROGRAMMING 

•  Structured  programming  techniques  (where  each  module  has  one  entry  point, 
all  paths  within  the  module  are  active,  and  one  exist  point)  greatly  increase 
the  probability  of  successful  verification  and  increased  security. 
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•  A  level  of  security  can  be  achieved  by  assigning  portions  of  large  programs  to 
separate  programmers. 

•  When  the  program  is  completed  those  modules  related  to  control  should  be 
separated  from  procedures  so  that  following  validation  the  entire  program,  or 
at  least  control  modules,  can  be  encrypted. 

3.  VALIDATION 

•  Validation  should  be  accomplished  by  a  separate  group. 

•  The  validation  process  should  ensure  that  all  paths  of  each  module  are  active 
and  that  any  "trapdoors"  used  for  debugging  during  development  are  removed. 

•  Unusual  ranges  and  combinations  of  input  data  are  useful  for  uncovering 
results  not  specified  as  output. 

•  Checks  should  be  made  that  the  program  erases  scratch  pad  memory  and 
auxiliary  storage  as  the  last  process  before  termination. 

•  The  above  techniques  reduce  the  probability  of  "Trojan  horse"  attacks, 
whereby  someone  inserts  temporary  instructions  that,  under  select  conditions, 
execute  during  production  time,  breaching  software  or  data  security. 

•  The  validation  process  should  ensure  that  audit  trails  are  operational  and 
effective. 

4.  MAINTENANCE 

•  All  changes  to  operational  programs  should  go  through  formal  change  control 
procedures,  whereby  changes  are  made  at  regular  intervals,  are  done  on  a 
controller  basis,  and  are  properly  reviewed. 
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•  Periodically  the  production  program  should  be  compared  with  the  master  to 
ensure  that  the  production  copy  exactly  matches. 

•  Both  software  that  translates  known  object  code  back  to  source  (decompiler) 
or  assembly  (disassembler)  language  and  the  flow  charting  of  utility  programs 
help  to  maintain  application  software  security  by  ensuring  that  the  object 
code  does  not  contain  trapdoors  or  Trojan  horses. 
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VI 


THE  MICROCOMPUTER  AND  SOFTWARE  SECURITY 


•  Intelligent  terminals  (in  the  form  of  workstations,  word  processors,  and 
personal  computers)  (both  standalone  and  in  local  area  networks)  add  a  whole 
new  dimension  to  the  problem  of  corporate  information  system  and  software 
security. 

•  Technological  information  processing  innovations  may  well  be  outpacing 
technical  solutions  to  the  corporate  security  problem.  In  the  final  analysis, 
security  strategies  with  respect  to  people  may  form  the  major  bulwark  in 
protecting  the  corporate  investment  in  information  systems  and  software. 


A.  MANAGEMENT 


•  It  is  clear  that  management  must  establish  a  policy  with  respect  to  the 
procurement  of,  responsibility  for,  and  use  of  office  automation  equipment 
before  the  problem  gets  out  of  hand.  Limiting  the  type  and  variety  of  equip- 
ment and  storage  media  is  certainly  in  order. 

•  A  vigorous  education  program  (including  frequent  small  classes,  briefings,  and 
risk  assessments)  that  is  designed  to  heighten  awareness  is  likely  the  most 
cost-effective  strategy  for  maintaining  security  in  the  microcomputer/office 
automation  environment. 
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•  As  more  corporate  strategic  information  is  developed  on  magnetic  media  in 
the  user  environment,  management  will  be  forced  to  give  greater  attention  to 
security  issues,  for  example: 

Acquisition  strategies  (that  have  been  developed  in  draft  form  on  word 
processors  and  then  routed  through  LANs  to  executives)  could  theoret- 
ically be  intercepted  by  anyone  with  access  to  the  LAN. 

Corporate  investment  strategies  that  were  reproduced  by  the  chief 
financial  officer's  executive  secretary  and  now  reside  on  a  personal 
computer  flexible  disk  can  be  used  by  anyone  with  a  compatible 
system. 

•  Management  must  implement  strategies  by  which  the  individual  user  carries 
primary  responsibility  for  that  portion  of  the  corporate  information  system 
(including  hardware,  software,  and  data)  that  is  under  the  user's  direct 
control. 

•  Alternatively,  management  must  provide  users  with  appropriate  technical 
safeguards  as  outline  below. 

B.       DISTRIBUTED  PROCESSING 

•  Distributed  processing  offers  managers  and  staff  the  ability  to  use  local 
computer  power  to  better  meet  their  individual  processing  needs.  Although 
hardware  and  software  support  problems  increase  security  complexity,  dis- 
tributed processing  does  offer  several  advantages: 

Software  and  data  can  be  isolated  to  a  specific  functional  area  (i.e., 
personnel,  accounts  receivable,  etc.). 
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People  in  that  area  know  each  other  and  can  easily  recognize  intruders. 


Distributed  systems  require  great  attention  to  the  information  flow  within 
(LANs)  and  between  distributed  processing  nodes.  Technologies  exist,  and  are 
becoming  increasingly  and  more  economically  available,  to  respond  to  both 
active  and  passive  intrusion  into  the  distributed  processing  network. 

ENCRYPTION 

Where  encryption  is  used,  it  is  usually  important  that  the  information  passing 
through  nodes  (between  source  and  destination)  be  protected  from  unauthor- 
ized access  via  a  node. 

Public  key  encryption  systems  can  easily  be  applied  to  distributed 
processing  but,  at  the  present  time,  only  with  a  significant  loss  in 
system  efficiency.  Where  transmission  volume  is  small  (i.e.,  down- 
loading software),  a  public  key  system  can  be  highly  effective. 

Private  key  systems  (i.e.,  DES)  can  be  applied  to  distributed  systems 
utilizing  master/multiple-key  management  systems  utilizing  multiple 
encryption  methodologies. 

SIGNATURES 

In  a  distributed  network  it  is  often  necessary  to  identify  not  only  the  source 
(user)  but  also  the  receiver  (host,  node,  etc.).  The  receiver  should  be  identi- 
fied as  well  to  ensure  that  the  information  transmitted  is  valid  and  came  from 
the  identified  source. 

Authenticators  (which  are  one-way  functions  of  secret  information 
keys,  one  key  known  only  to  the  user  and  the  other  key  known  only  to 
the  host)  establish  trusted  (with  high  probability)  interconnections. 
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An  information  transmission  identifier  (sequence  number,  date,  and 
time  group)  that  is  properly  authenticated  ensures  (with  high  prob- 
ability) that  the  information  transmission  is  from  the  identified  user. 

3.       FIBER  OPTICS 

•  The  fiber  optic  medium  is  almost  impossible  to  tap  into.  As  such,  fiber  optics 
are  an  ideal  candidate  for  LANs  and  for  other  networking  applications. 

Fiber  optics  are  becoming  attractive  for  new  buildings  under  con- 
struction. 

Several  Bell  Operating  Companies  (BOCs)  are  developing  fiber  optic 
telecommunication  circuits. 

•  Fiber  optics  will  become  the  preferred  medium  of  transmission  (particularly 
for  LANs)  by  the  end  of  the  decade. 

C.       SYSTEM  AND  SOFTWARE  SECURITY 

I.  PHYSICAL 

•  Personal  computers  and  word  processors  are  tempting  targets  for  theft.  They 
are  even  more  attractive  than  typewriters. 

•  Depending  on  corporate  policy,  micro  workstations  can  be  secured  through: 

Anchor-pads. 

Lockable  power  switches. 

Lockable  equipment  enclosures. 
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•  Lockable  space  should  be  provided  to  users  for  storage  of  flexible  disks.  In  a 
sensitive  area  selected  disks  can  be  under  the  control  of  a  designated  librarian 
with  responsibility  for  ensuring  that  they  are  logged  in  and  out  to  the  appro- 
priate personnel. 

2.  ACCESS  CONTROL 

•  Early  personal  computer,  word  processing,  and  office  workstation  systems 
were  targeted  for  single-user,  single-program,  and  standalone  use.  As  such, 
little  need  was  seen  for  security  access  control. 

•  The  current  generation  of  microprocessors  provides  for  multifunction  and  on- 
line operating  environments.  Technical  solutions  to  security  access  problems 
are  just  beginning  to  appear. 

•  Vendors  are  offering  firmware  in  the  form  of  an  intelligent  programmable 
circuit  board  extension  to  IBM  PC-compatibles  and  other-vendor  PCs.  The 
firmware  provides  access  restriction  through  passwords,  encryption  methods 
for  data  and  software  protection,  audit  trail  of  computer  use,  and  methods  for 
either  local  or  central  security  control. 

3.  SECURE  MICROPROCESSOR 

•  Secure  operating  systems  have  long  been  held  as  the  key  to  system  and  soft- 
ware security.  All  operating  system  functions  related  to  system  security  have 
been  incorporated  in  what  is  called  a  security  "kernel."  (See  Chapter  V, 
Designing  for  Secure  Software.) 

•  Architectural  functions  necessary  to  support  protected  systems  based  on 
security  kernels  are: 

Support  for  multiple  processors. 


-53  - 

©  1984  by  INPUT.  Reproduction  Prohibited. 


INPUT 


Control  over  a  large,  segmented  virtual  memory. 

A  minimum  of  three  execution  domains. 

Control  of  access  to  input/output  devices. 

The  concept  of  a  secure  microprocessor  information  system  is  shown  in 
Exhibit  VI- 1.  The  ideal  processor  has  four  execution  domains,  the  most 
privileged  being  level  zero.  Lower  domains  are  prevented  from  executing 
system  functions  in  higher  domains. 

Intel  Corporation  has  developed  the  iAPX286  chip  with  the  architectural 
feature  outline  above,  which  reduce  by  a  factor  of  eight  the  overhead  in 
implementing  a  secure  information  system. 

INPUT  expects  that  a  secure  UNIX  microprocessor  operating  system  utilizing 
the  Intel  microprocessor  will  begin  appearing  in  intelligent  terminals  within 
the  next  two  years. 

SECURE  DISK  STORAGE 

In  an  effort  to  deter  software  piracy,  the  Association  of  Data  Processing 
Service  Organizations  (ADAPSO)  established  the  technical  guidelines  shown  in 
Exhibit  VI-2. 

The  most  successful  solution  today  appears  to  come  from  the  Vault  Corpora- 
tion with  its  PROLOK  disk.  The  process  places  a  special  hardware- 1  ike 
"fingerprint"  on  a  currently  conventional  5-1/4-inch,  double-density,  double- 
sided  diskette.  In  addition  to  the  identifier,  the  disk  contains  a  10,000-byte 
administrative  and  encoding  program  encrypted  by  the  same  process  used  to 
protect  the  software  that  the  user  (vendor)  later  loads. 
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EXHIBIT  VI -1 


SECURE  MICROCOMPUTER  INFORMATION  SYSTEM  FUNCTIONAL  DESIGN 


PL  3        PL  2        PL  1       Privilege  Level  0 
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EXHIBIT  VI-2 

ADAPSO  GUIDELINES  FOR  MICROCOMPUTER  SOFTWARE  SECURITY 


ITEM 

GUIDELINES 

Cost 

•  Low  to  end  user 

•  Cost  to  install  is  small  part  of  total  system  manufacturing 
cost 

Ease  of  Use 

•  Ease  of  installation 

•  Transparent  to  end  user 

•  No  effect  on  program  execution,  speed  or  performance 

•  No  complex  rules  or  keys  to  remember 

•  User  can  make  backup  copies 

1  nstallation 

•  Simple  for  manufacturers  to  install 

Availability 

•  Widely  available  to  all  software  publishers 

•  Can  be  used  with  all  types  of  software  requirements 

Hardware 
Requirements 

•  Can  be  used  on  all  floppy  disk  sizes  and  formats 

•  Minimal  use  of  RAM 

•  Can  be  used  on  hard  disk 

•  Used  on  wide  variety  of  microcomputers 

•  Transferal  to  other  computers 

•  Can  be  transferred  with  computer  to  new  owner 

Operating 
System 
Requirements 

•  Used  on  wide  variety  of  operating  systems 

•  Does  not  interfere  with  operating  system 

•  No  new  definitions  to  operating  systems 

Protection 

•  Provides  security  from  duplication  by  end  user 

•  Protects  software  from  external  duplication 
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The  program  loaded  onto  the  disk  has  been  encrypted  and  an  additional  3,000 
bytes  that  tie  the  program  to  the  fingerprint  encryption  process  have  been 
added. 

Neither  the  program  nor  the  operating  system  require  modification. 

The  encrypted  program  can  be  loaded  onto  a  hard  disk,  but  operating  the 
program  requires  the  presence  of  the  PROLOK  flexible  disk  to  decrypt  the 
program  resident  on  the  hard  disk. 

An  advanced  product  under  development  will  permit  the  program  to  be  shared 
(as  authorized)  among  users  in  an  LAN. 

A  hardware  technique  under  development  modifies  utilized  vendor  disk  drives 
to  create  software  diskettes  that  place  marginal-strength  pulses  in  selective 
locations  in  a  program. 

Personal  computers  are  able  to  read  the  weak  pulses  and  execute  the 
program,  but  the  pulses  are  too  weak  to  permit  copying  onto  another 
disk. 

The  technique  can  be  used  to  control  the  number  of  times  a  program  is 
used  before  it  becomes  inoperable. 
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SUMMARY 


A  combination  of  strategies  involving  motivating  people  and  selectively  using 
technology  are  necessary  to  protect  the  corporate  software  and  systems 
investment. 

A  flexible  approach  to  security  in  an  information  system  environment  that  is 
characterized  by  rapid  technological  change  and  increasing  user  involvement 
is  the  optimal  overall  strategy  to  pursue. 

This  study  has  shown  that  no  one  single  or  indeed  no  small  group  of  strategies 
can  ensure  adequate  protection  to  corporate  information,  including  software. 

The  most  important  specific  strategy  to  pursue  is  the  principle  of  layering  or 
putting  up  a  number  of  independent  (hopefully,  simultaneous)  roadblocks  that 
make  penetration  very  time  consuming  and  costly. 

The  dimensions  of  the  strategy  to  protect  the  corporate  investment  in  infor- 
mation systems,  software,  people,  administration,  and  technology  are  shown  in 
Exhibit  VII- 1 . 
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EXHIBIT  VI 1-1 


STRATEGIES  TO  PROTECT  THE 
CORPORATE  INFORMATION  SYSTEMS  AND  SOFTWARE  INVESTMENT 


PEOPLE  COUNT 

•    Top  Management  Responsible 

•    Security  Director 

•    Background  Investigation 

•    Hiring  and  Termination 
Procedures 

•    Corporate  Security  Policy 

•  Education 

•    Personal  Security 
Evaluations 

Code  of  Conduct 

Separation  of  Duties 


ADMINISTRATION 
NECESSARY 

•    Documentation  Control 
•    Fire  Protection 
•    Disaster  Recovery 
Legal 
Insurance 


TECHNOLOGY, 
THE  CORE  DEFENSE 

•  Passwords  and  Terminal  IDs 

•  Security  Monitors 

•  Telephone  Access  Controllers 

•  Smart  Cards 

•  Encryption 

•  Fiber  Optics 

•  Secure  Microprocessors 

•  Secure  Microdisk  Storage 

•  Security  Operating  System  Kernels 

•  Formal  Design  Methodologies 

•  Structured  Programming 

•  Change  Control 
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PEOPLE  COUNT 


Involvement  of  top  management  is  a  must  in  order  for  corporate  information 
systems  and  software  security  to  be  effective. 

Selection  and  placement  of  a  security  director  (backed  by  management)  is 
critical  to  security  planning,  implementation,  and  administration. 

In  the  final  analysis  the  corporate  information  system  and  software  invest- 
ment is  protected  by  the  user  (people).  Multiple  strategies  are  necessary  to 
heighten  people's  awareness  of  and  commitment  to  protecting  corporate 
information: 

Background  investigation  prior  to  hiring  in  order  to  increase  the  prob- 
ability of  employee  trustworthiness. 

New  employee  acknowledgement  of  security  responsibility  upon  hiring. 

Definitive  corporate  information  security  policy  promulgated  by  top 
management  and  kept  current. 

A  program  of  employee  education  to  small  groups  and  at  frequent 
intervals. 

Security  performance  evaluation  as  part  of  the  annual  and  merit  review 
process,  with  employee  reacknowledgement  of  security  responsibilities. 

Publication  of  a  corporate  code  of  conduct  that  has  clear  sanctions  for 
abuses. 

Separation  of  sensitive  duties  among  employees  to  minimize  individual 
fraud  and  make  collusion  very  difficult. 
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As  part  of  termination  procedures,  security  debriefing  and  acknowl- 
edgement of  postemployment  responsibilities  with  repect  to  corporate 
information. 


B.       ADMINISTRATION  NECESSARY 


•  There  are  a  number  of  administrative  strategies  available  that  primarily 
relate  to  the  physical  security  of  corporate  information  systems  and  software. 

•  A  software  librarian  ensures  the  authorized  possession,  distribution,  and 
documentation  control  of  corporate  software. 

•  An  adequate  fire  protection  system  (preferably  halon)  affords  a  high  degree  of 
systems  and  software  survivability. 

•  A  strategy  of  storing  two  copies  of  the  corporate  information  system  and 
application  software  (encrypted)  in  separate  locations  assures  disaster 
recovery. 

•  Corporate  information  system  applications  software  can  be  protected  through 
copyright  and  trade  secret  law. 

•  Insurance  is  becoming  a  more  popular  strategy  for  giving  additional  protection 
to  the  corporate  software  investment. 
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C.       TECHNOLOGY,  THE  CORE  DEFENSE 


•  The  importance  of  security  has  spawned  a  number  of  technology  options,  some 
still  emerging,  which  are  at  best  struggling  to  keep  pace  with  technogical 
innovation  in  distributed  processing,  LAN,  and  micro-driven  office  automation 
intelligent  terminals. 

•  Some  security  monitors  are  more  successful  than  others  and  add  on  to 
already-inefficient  existing  operating  systems.  These  monitors  emulate 
security  kernels  and  provide  a  satisfactory  degree  of  mediation  between 
subjects  (users)  and  objects  (resources). 

•  Telephone  access  controllers  are  the  most  recent  addition  to  mediating  access 
between  users  and  hosts  in  rapidly  expanding  remote  telecommunications 
(primarily  dial-up)  networks. 

•  Microprocessor-encapsulated  "smart"  cards  promise  to  add  another  layer  of 
validation  for  the  user  and  to  add  authentication  for  interconnections  and 
transmissions  between  users  and  processors. 

•  Encryption  (software  and  hardware)  is  on  a  rapidly  decreasing  cost  curve. 
Private  and  eventually  public-key-driven,  encryption  is  becoming  a  viable 
strategy  for  secure  transmission  and  authentication  of  information  between 
and  at  distributed  processing  nodes. 

•  Fiber  optics,  particularly  for  new  construction,  offers  highly  cost-effective 
security,  particulary  for  LANs. 

•  A  number  of  products  are  becoming  available  or  already  exist  to  protect  the 
corporate  system  and  software  investment  as  microprocessors  proliferate 
among  corporate  users.  The  two  most  promising  appear  to  be  the  PROLOCK 
secure  disk  storage,  which  prevents  access  to  and  duplication  of  vendor- 
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puchased  or  in-house-developed  system  and  applications  software,  and  the 
Intel  16-bit  iAPX286*  microprocessor,  which  incorporates  hardware  security 
features  and  should  soon  permit  the  development  of  an  efficient  UNIX 
security  kernel  for  standalone  and  LAN  computing  environments. 

•  Many  strategies  are  available  for  designing  security  into  system  and  applica- 
tion software.  Placing  all  security-related  functions  in  an  operating  system 
kernel,  providing  memory  protection  by  segmenting  virtual  memory,  imple- 
menting privileged  execution  domains,  and  mediating  access  through  a  refer- 
ence monitor  are  all  strategies  for  developing  secure  coporate  information 
operating  systems. 

•  Security  strategies  for  development  and  application  software  include:  formal 
structured  design  methodology,  structured  programming,  data  abstraction 
including  information  hiding,  and  separated  and  formal  validation  to  uncover 
trapdoors  and  possible  Trojan  horse  attacks.  Another  strategy  relates  to 
maintenance  procedures,  including  formal  change  control;  periodic  matching 
of  production  programs  to  the  master  library  copy;  and  utilization  of  software 
aids  that  permit  decompilation,  disassembly,  and  testing  for  dead  code,  unspe- 
cified or  unusual  output,  or  cleared  scratch  pad  memory  and  auxiliary  storage. 
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APPENDIX  A:  DEFINITIONS 


•  Access:  The  ability  to  use  a  resource. 

•  Access  Control:    Granting  a  suitably  authorized  request  for  access  to  infor- 
mation system  resources. 

•  Attack:  An  attempt  to  effect  unauthorized  access. 

•  Audit:  Use  of  a  log  in  determining  whether  access  is  controlled  in  accordance 
with  management  policy  and  generally  accepted  accounting  practices. 

•  Authenticate:   To  determine  the  accuracy  of  a  user's  identity  or  a  message's 
certification  of  its  time  or  place  of  origin. 

•  Authorize:  To  permit  the  use  of  a  sensitive  resource. 

•  Browse:    Unauthorized  reading  of  data  in  the  hope  of  attaining  useful  infor- 
mation whose  specific  location  is  not  known  by  the  browser. 

•  Category:  An  aggregation  of  sensitive  resources  formed  to  facilitate  authori- 
zation. 

•  Class:    A  level  of  authorization  applied  to  a  set  of  users.  These  users  may 
read  all  data  whose  class  is  equal  to  or  less  than  their  own. 
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Create:  Develop  and  associate  a  resource  with  an  identifier. 


Destroy:  Cause  a  resource  to  cease  to  exist. 

Diddle:  To  write  (data)  with  an  intent  to  confuse  or  deceive. 

Disconnect:  To  deny  access  to  the  system  resulting  from  repeated  attempts 
to  have  a  user's  claim  of  identity  authenticated. 

Discretionary  security:  Asssignment  of  rules  to  specify  who  is  allowed  what 
type  of  access  to  which  objects.  Discretionary  security  allows  those  who  own 
a  segment  of  data  to  decide  who  can  have  access  to  it. 

Encryption:  A  process  for  protecting  program  and  data  that  must  be  stored  on 
or  transmitted  over  media  that  cannot  be  otherwise  protected  against  unauth- 
orized monitoring. 

Cryptography:  A  form  of  access  control  applicable  to  sensitive  resources  that 
are  beyond  the  scope  of  program  access  control  and  physical  access  control. 

Exhaustion:  An  attack  carried  out  by  entering  all  possible  values  (for 
example,  of  a  password)  and  trying  to  supply  a  secret  quantity  unknown  to  the 
hacker. 

Group:  A  set  of  users  selected  to  facilitate  authorization. 

Hacker:  An  individual,  usually  outside  a  corporate  organization,  who  attempts 
to  gain  unauthorized  access  to  the  corporate  information  system  through 
random  or  systematic  attacks. 

Identifier:  a  value  uniquely  associated  with  a  user,  a  group  of  users,  or  a 
sensitive  resource. 
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I  ndi  vidua  I  -based  Authorization:  Permitting  or  denying  access  to  users  ac- 
cording to  previously  recorded  individual  authorization,  with  that  interaction 
accompanying  a  request  for  access  (individual  rather  than  resource  based). 

Interval:  The  maximum  length  of  time  that  a  user  may  use  a  particular  value 
(such  as  a  password)  as  data  for  authentication. 

Kernel:  A  security  kernel  is  a  hardware/software  mechanism  that  contains  all 
security-relevent  operating  system  functions.  Implementations  may  contain 
one  component,  called  the  kernel,  which  enforces  a  specified  set  of  security 
rules.  Other  components  are  called  trusted  processes. 

Last-used:  The  time  log  when  a  particular  user  most  recently  made  use  of  the 
system. 

List:  A  set  of  authorizations  that  are  applied  to  one  resource  or  to  a  set  of 
resources. 

Log:  Data  recorded  about  authorizations  and  requests  for  access. 

Mandatory  security:  The  enforcement  of  a  security  policy  that  uses  a  fixed 
security  classification  such  as  top  secret,  secret,  etc.  to  determine  access. 

Masquerade:  Someone  posing  as  another;  a  mechanism  used  in  an  attack. 

Password:  Data  a  user  provides  for  purposes  of  authentication. 

Penetration:  An  unauthorized  access  that  gives  the  hacker  control  of  the 
system;  a  type  of  attack. 

Physical  data:  Anything  other  than  magnetically  recorded  data  to  which  the 
system  can  control  access;  concerns  portable  media  in  computer  centers  and 
libraries. 
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Program:  Magnetically  recorded  data  to  which  the  system  can  control  access. 

Protocol;  A  procedure  for  communicating  between  two  or  more  nodes  of  a 
network. 

Query;  A  request  for  information  from  a  data  base;  specifically  one  for  data 
collected  from  a  number  of  records,  and  presented  as  a  sum,  average,  etc. 

Read;  To  acquire  data. 

Reduce:  To  process  logs  so  as  to  extract  only  the  data  needed  for  auditing 
purposes. 

Reference  Monitor:  A  computer  system  component  that  checks  each  refer- 
ence from  subject  (users  or  program)  to  object  (file,  device,  user,  or  program) 
to  determine  if  the  access  is  valid. 

Request:  An  application  for  the  right  to  affect  access  to  sensitive  resources. 

Residual:  Data  left  after  a  process  is  completed;  undestroyed  residual  data  is 
subject  to  attack  by  a  browser. 

Resource:  Any  service,  capacity,  device,  or  data  accessible  by  a  system. 

Resource-based:  Permitting  or  denying  access  to  users  according  to  their 
ability  to  provide  authenticating  data  and  association  with  a  resource  request. 

Salami:  An  attack  involving  many  small  amounts,  for  example  a  misappropri- 
ation of  very  small  sums. 

Scavenge:  Conduct  an  attack  by  browsing  through  discarded  printed  material. 
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Sensitive:  A  resource  of  sufficient  value  such  that  access  control  is  desired. 


Sign;  Appended  to  a  collection  of  data;  authenticates  data  indicative  of  the 
sender,  place,  time,  origin,  etc. 

System  Integrity:  The  extent  to  which  a  system  resists  penetration. 

Ticket:  An  authorization  that  is  associated  with  a  user  for  a  specific  time  or 
limited  number  of  accesses. 

Time  Bomb:  A  routine  that  for  the  programmer's  own  purposes  executes  an 
attack  after  a  set  time. 

Time  Stamp:  Authenticating  data  indicative  of  the  time  that  an  event  took 
place  (for  example,  the  sending  of  a  message). 

TOCTTOU  (time  of  check  to  time  of  use):  Failing  to  protect  data  between 
the  time  that  the  system  validates  its  data  and  the  time  that  the  system  uses 
the  data,  thus  permitting  penetration. 

Tracker:  A  query  or  set  of  queries  designed  to  make  it  possible  for  a  user  to 
set  data  base  information  without  proper  authorization. 

Trap-door:  An  exit  or  hook  that  permits  easy  access  to  a  system  or  new  code 
to  be  easily  added  to  a  program;  a  mechanism  used  in  an  attack. 

Trojan  Horse:  A  routine  that  does  not  contribute  to  the  documented  function 
of  the  program  that  contains  it,  but  instead  is  something  the  program's 
developer  would  prevent  if  possible  (a  routine  that  takes  advantage  of  the 
program's  security  level  to  effect  unauthorized  access). 

Trusted:  A  component  that  can  be  relied  on  to  enforce  the  relevant  security 
policy. 
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Use:  Access  to  a  resource  for  the  purposes  for  reading,  writing,  creating,  or 
destroying  it. 

Write:  To  modify  data. 

Zap:  An  unauthorized  modification  of  a  program  that  the  user  does  not  have 
authorization  to  use. 
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APPENDIX  B:         RELATED  INPUT  REPORTS 


•        New  Issues  In  Computer  Security,  December  1982. 
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CATALOG  NO.  IUISIPIRI  I  I  1 


PROTECTING  THE  CORPORATE  SOFTWARE  INVESTMENT 
VENDOR  QUESTIONNAIRE 

What  products /services  do  you  offer  related  to  program /data  security? 

Number  of 

Product  Name  Users  Price  Range 

1.    

2.       

3.       

4. 


What  mainframe /mini  operating  systems  do  you  support? 

IBM  Burroughs    Honeywell  DEC  H  P 

Mainframe/      

Minis 


Operating 
Systems 
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3.      What  are  the  levels  of  program /data  security  that  your  products  provide? 
CZI  Personal 


□ 


□ 


Terminal 


Program 


□  Fil 


□ 


Data 


4.      How  are  audit  trails  provided? 
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CATALOG  NO.  BBEE  I  I  1 


How  does  the  product  provide  for: 
Multi-CPU  Environment /Site 


Multisite  Environment 


Distributed  Environment 


To  what  extent  does  the  product /system  provide  for  protecting  the 
program /data  by  encryption? 


[Zl  None  CH  DES  EH 


Other 


What  modifications  are  necessary  to  incorporate  the  product  into  the 
operating  system  environment? 


None 


□ 
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CATALOG  NO.  lUSlPlRl 


8.      What  is  the  overhead  associated  with  the  use  of  your  product? 
I    I  System  Efficiency:   


□  u 


ser  Access 


9.      What  products  do  you  offer  in  relation  to  program  /data  security  for 
personal  computers? 


□ 


None 


□  (Compatible)  CH  Apple  [Zl  DEC  EH  Other; 


(Compatible)  L_l  Apple 


Product 
Name 

Operating 
System 

Users 

Price 
Range 


10.     How  is  program /data  security  accomplished  for  personal  computers? 
1    1  Hardware 


□ 


Software 


□  di 


□ 


SC 
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CATALOG  NO.  IUBIPIRI  I  1  I 

11.  Who  (up  to  3)  are  your  major  competitors? 

Mainframe /Mini  Micro 
Vendor  1.  

2.     

3.     

12.  What  are  the  trends  you  see  in  providing  program/data  security? 

Hardware   

I    1  Software 
1    1  Market 
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